Large-scale credit and debit card security breaches have highlighted the need for improved data security for financial transactions and other types of digital access control. Europe has implemented “chip-and-pin” (Euro/MasterCard/VISA “EMV”) financial account cards to improve security for in-store transactions where the chip-and-pin card is physically present at the point of sale. The United States is currently in the process of converting to the chip-and-pin (EMV) standard to obtain the same type of security improvement in this country. At present, however, chip-and-pin technology only provides improved security for transactions when the chip-and-pin card is physically present to be processed by a point-of-sale chip-and-pin card reader. Because chip-and-pin readers are generally not available at the homes of individuals and other locations used to conduct online commerce, chip-and-pin technology will not improve the security of online transactions, which are the most vulnerable type of transaction. During the online transaction process, sensitive personal and financial transaction data is vulnerable to hijacking when stored in browser cookies and other storage locations on the host computer. The data is also vulnerable to hackers when sent from the host computer used by the online consumer to the web account and payment gateway of the merchant processing the online transactions. This data is often encrypted when it reaches a secure website (e.g., https), but it may not be encrypted on the initial data link from the host computer to the secure site.
This initial data link presents a number of points vulnerable to hackers during online commerce transactions including, among others, keystroke monitoring when personal data and financial card data are entered into the host computer, browser cookies storing the consumer's personal data and financial card data, and storage of this and other personal data on the webserver of the online merchant. One approach to providing chip-and-pin type security for online purchases would be to provide individual consumers with chip-and-pin readers to utilize as part of their personal computer equipment. This would be extremely expensive, however, and at least partially ineffective because consumers are unlikely to have their own chip-and-pin terminal with them everywhere they want to conduct online commerce in the increasingly mobile computing environment. In addition, chip-and-pin terminals are presently limited to merchant accounts, which require payment of monthly fees that few individual consumers would be willing to pay. Issuing a large number of chip-and-pin terminals to end-use consumers would also blur the distinction between merchants and consumers and impose multiple layers of transaction processing that the financial transaction infrastructure is not presently configured to accommodate.
There is, therefore, a need for a convenient and effective mechanism for securing online transactions. More specifically, there is a need for cost-effective mechanisms for providing chip-and-pin type security for online transactions without requiring major changes to the financial transaction infrastructure.